Prelude


JL is a small accounting company residing in Perth, Western Australia. JL currently
employs five people, none of whom has any IT expertise or literacy. There are plans to
expand the number of employees to at least 10. The boss’s 17-year-old niece was
responsible for all computer and network related matters for the past two years. JL are
progressively moving into the online market and have started communicating and
sending confidential documents to their clients using a variety of online services. In recent
months, employees have noticed computers progressively operating slower, and
random malware-inspired pop-ups being displayed. The following list contains an
overview of the current situation within JL:


* The SOE consists of Windows 10 laptops, all of which are currently updated with
the most recent Microsoft updates.

* None of the laptops contains any security software.

* Internet access is via ADSL using a D-Link DSL-2740B wireless router.

* A QNap TS-412 NAS is used to backup workstation data (at each employee’s
discretion) using WinSCP. The username/password for the NAS admin account
is admin/admin.

* A Windows 2000 Server was previously operational in the organisation, but a power
surge resulted in the power supply no longer functioning.

* Each employee receives on average 40 spam messages each day.

* In July 2017, two workstations succumbed to a ransomware attack and JL paid the
ransom.

* There are currently no policies or rules guiding employees on how to best utilise
resources and conform to ideal cyber security conscious behaviours.

* Employees can access each other’s computers and email accounts.

* Confidential data is emailed/stored without using any cryptographic techniques.

* Last week an employee found a USB flash drive in the car park and plugged it into
their computer. Since then, the employee has claimed that the computer appears to
have “a mind of its own”.

(Edith Cowan University, 2019) 


Introduction 


Developing recommendations for a small client uses the same base analysis process as for a
client of any size; the recommendations are then scaled to fit the client. In this report we
assess JL and develop recommendations (countermeasures) with reference to publicly
available information, industry information and field experience. The Standard Operating
Environment (SOE) of JL is described in Figure 1 below:
FIGURE 1 - STANDARD OPERATING ENVIRONMENT
Identification of Threats and Vulnerabilities

JL’s Standard Operating Environment (SOE) consists of notebook PCs running Windows 10
(edition not identified) and a Windows 2000 server. ADSL internet is provided by a D-Link
DSL-2740B (N300) router with Wi-Fi capability (D-Link, n.d.).


The server is not currently functional, is well out of date (Windows 2000 left Microsoft
extended support in 2010) and, in a standard configuration, could not adequately manage the
Windows 10 PCs in the environment. Because the server is so aged and is not operational, we
assume that the PCs are not joined to a local domain; consequently there is no
server-enforced policy in the client environment.


Access to the network and the internet must be controlled to prevent unauthorised access to
the network. Unless correctly configured, the N300 will admit any new device connected via
Ethernet or Wi-Fi, and any unmanaged or personal device is a potential threat.


Wi-Fi is a vulnerability unless it is configured securely. Operating with no security, or with
WEP, provides no effective resistance to unauthorised connection. WPA-PSK and WPA2-PSK are
only as strong as the pre-shared key: a captured four-way handshake can be attacked offline
with freely available tools such as Aircrack-ng, so a short or dictionary passphrase provides
only a time delay (ScienceDirect, n.d.)(“Aircrack-ng,” n.d.). A long, random passphrase, and
disabling WPS if the router offers it, removes this weakness in practice.


Although the Windows 10 clients are currently up to date, the absence of configured
automatic updates and of any security software is a significant vulnerability, a weakness
that places the client at risk of compromise (Stallings & Brown, 2015). All connected
equipment requires the latest security updates, including device firmware for routers,
printers and so forth. A host firewall should also be enabled on each connected
workstation.


Default and shared usernames and passwords are in use (the NAS still has its admin/admin
default), so access within the SOE is effectively unsecured: an attacker who gains a foothold
has easy access to everything, and employees have unrestricted access to each other’s
systems, so there is no access accountability. Note that the modem is not compatible with the
NBN. The QNap TS-412 has cloud access and other remote features that need to be
controlled, i.e. disabled (QNap, n.d.).


It cannot be presumed that any equipment is free of malware. Spam messages are, at best,
an unnecessary waste of time and, at worst, carriers of social engineering, phishing, spear
phishing, malware or other threats.


Recommendations 


A complete overhaul of the SOE will be required. None of the workstations or servers
currently in place can be trusted to be free of malware, given their present insecurity, their
history and the present evidence of malware. The overhaul will include: disconnecting all
existing workstations, servers and equipment; securing and configuring the modem router,
with firmware updates (the N300 is due to be replaced in any case); establishing a new
server, since expansion is also planned, with all other workstations and equipment offline,
i.e. on a separate network; and progressively bringing online cleanly (newly) installed
workstations and hardware, including new firmware updates. Care must be taken to keep the
new and old networks segregated to avoid transferring malware.
As there are no current IT policies and procedures, develop an Information Technology
Policy and Procedure Manual and adopt it in employee standards and procedures. A template
is available from Business Victoria (Business Victoria, n.d.). The use of default
username/password combinations is insecure, and all default passwords must be changed.
Assign an IT officer to act as the hub for collating, and the single point of contact for, all
issues, with delegated responsibility to ensure that all staff and procedures are compliant.
This is preferred to entirely outsourcing IT services unless the service provider can be vetted
for reliable, adequate provision of service. In any case, a person in house should remain in
control of IT; this should be an immediate new hire.


The current non-functional server must be replaced. Windows Server 2016 Standard is
recommended, with sufficient Client Access Licences (CALs), as Windows Server 2016 has had
more time to mature than newer server releases (Willa, n.d.). Establish the server as a
Domain Controller so that workstations can be joined to the domain, then set up users and
effective group policies to control workstation permissions and access to resources.
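The domain build and the workstation policy described above, as an added worked example in PowerShell (not part of the original report). It assumes a forest named jl.local with NetBIOS name JL, a data drive D: on the server, and the role group names JL-Accounting and JL-IT-Admins; the password and lockout values are placeholders to be aligned with the Policy and Procedure Manual. The same GPO also carries the automatic-update and host-firewall settings required of every workstation.

```powershell
# Added example (not part of the original report): promote the new Windows Server 2016
# host to the first domain controller of a new forest, create the OUs and groups the
# recommendations call for, set the domain password/lockout policy, and link a GPO that
# enforces automatic updates and the host firewall on every workstation.
# Assumptions (not stated in the report): forest jl.local / NetBIOS JL, data drive D:,
# DSRM password entered interactively. Run elevated on the server; it reboots after promotion.

Install-WindowsFeature -Name AD-Domain-Services, GPMC -IncludeManagementTools

Import-Module ADDSDeployment
Install-ADDSForest -DomainName 'jl.local' -DomainNetbiosName 'JL' `
    -ForestMode WinThreshold -DomainMode WinThreshold -InstallDns:$true `
    -DatabasePath 'D:\NTDS' -LogPath 'D:\NTDS' -SysvolPath 'D:\SYSVOL' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# ---- After the reboot, logged on as JL\Administrator ----
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
New-ADOrganizationalUnit -Name 'JL' -Path $domainDN
foreach ($ou in 'Users', 'Workstations', 'Groups') {
    New-ADOrganizationalUnit -Name $ou -Path "OU=JL,$domainDN"
}

# Role groups: staff get only what accounting work needs; admin rights stay with the IT officer.
New-ADGroup -Name 'JL-Accounting' -GroupScope Global -Path "OU=Groups,OU=JL,$domainDN"
New-ADGroup -Name 'JL-IT-Admins'  -GroupScope Global -Path "OU=Groups,OU=JL,$domainDN"

# Domain-wide password and lockout policy (values are an assumption; align with the Manual).
Set-ADDefaultDomainPasswordPolicy -Identity 'jl.local' `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Workstation baseline GPO: updates download and install automatically, firewall on for
# every network profile. Linked to the Workstations OU so every joined notebook receives it.
$gpo = New-GPO -Name 'JL Workstation Baseline'
$au  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $au -ValueName 'NoAutoUpdate' -Type DWord -Value 0
Set-GPRegistryValue -Name $gpo.DisplayName -Key $au -ValueName 'AUOptions'    -Type DWord -Value 4  # 4 = auto download and schedule install
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    Set-GPRegistryValue -Name $gpo.DisplayName `
        -Key "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile" `
        -ValueName 'EnableFirewall' -Type DWord -Value 1
}
New-GPLink -Name $gpo.DisplayName -Target "OU=Workstations,OU=JL,$domainDN" -LinkEnabled Yes
```

Workstations are moved into the Workstations OU when they are joined, so the baseline applies before a user ever logs on; the group memberships, not individual accounts, are what the file shares and local administrator rights are later granted to.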


There are many competitors in the security software marketplace. It is essential to choose a
solution that is independently evaluated for detection performance and has a reliable track
record, since malware spreads most effectively in the zero-day window when no vendor yet
has a signature for it and robust heuristic or behavioural detection is the only protection
(NOD32 user (Willtech) & et al., n.d.). Briefly evaluating the Virus Bulletin VB100 list, which
validates consistent detection of in-the-wild malware, and AV-Comparatives, which publishes
independent analysis with a documented methodology, ESET has performed consistently in all
tests with its various products over many years, achieving several industry awards for
performance and detection, with regular automatic updates, all required enterprise features
for the small SOE and excellent performance characteristics (Virus Bulletin,
n.d.)(AV-Comparatives, n.d.). ESET Endpoint Security is business- and enterprise-level
software, managed through an ESET Security Management Center server installation, and is
the chosen product (ESET, n.d.-b). ESET is recognised as a Visionary by Gartner (ESET,
n.d.-a). Purchase, install and configure the security software and perform a full scan of each
newly installed workstation and server.


Workstations require Windows 10 Professional to join the domain (Microsoft, n.d.). The
specification does not state the age of the hardware, so the correct 32-bit or 64-bit licences
and media must be purchased once each machine’s architecture has been checked. Perform
an isolated clean install; install, configure and update the security software and apply all
available security updates for the operating system; then join the workstation to the new
SOE domain, where membership provides permissions via group policy. A push installation of
ESET Endpoint Security, including its configuration, is possible from the management server.


Ensure all software is configured to install recommended security updates and patches
automatically, including Microsoft Office and application software, and install an
independently verified business- or enterprise-grade anti-malware solution on all
workstations and servers in the SOE. The anti-malware solution should include email
scanning with both anti-malware and anti-spam, regardless of any filtering done at the mail
server, and support scanning of network, remote and removable media (the car-park USB
drive incident shows why removable media scanning matters).
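The workstation build steps above, checked rather than performed, as an added example in PowerShell (not part of the original report). The script is read-only: it reports which baseline items still need attention on a freshly installed notebook, and can be re-run after the machine is joined to the domain to confirm group policy took effect. It assumes Windows 10 Pro 1607 or later (for the LocalAccounts and BitLocker cmdlets) and the group name JL-IT-Admins from the domain build.

```powershell
# Added example (not part of the original report): read-only baseline check for a workstation.
# Assumption: Windows 10 Pro 1607+; JL-IT-Admins is the assumed domain admin group.
# Run in an elevated PowerShell session.

function Test-WorkstationBaseline {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result ([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Edition and architecture: only Pro/Enterprise can join a domain; the architecture
    #    decides which licence/media is correct for this hardware.
    $os   = Get-CimInstance Win32_OperatingSystem
    $arch = if ([Environment]::Is64BitOperatingSystem) { '64-bit' } else { '32-bit' }
    Add-Result 'Domain-capable edition' ($os.Caption -notmatch 'Home') "$($os.Caption) ($arch)"

    # 2. Windows Update service enabled and the policy set to automatic install (AUOptions 4).
    $wu = Get-Service -Name wuauserv
    Add-Result 'Windows Update service not disabled' ($wu.StartType -ne 'Disabled') "StartType=$($wu.StartType)"
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    Add-Result 'Automatic update policy' ($au.AUOptions -eq 4 -and $au.NoAutoUpdate -ne 1) "AUOptions=$($au.AUOptions)"

    # 3. Host firewall on for every network profile.
    foreach ($p in Get-NetFirewallProfile) {
        Add-Result "Firewall profile $($p.Name)" ($p.Enabled -eq 'True') "Enabled=$($p.Enabled)"
    }

    # 4. SMBv1 removed: legacy protocol, not needed on a Windows 10 / Server 2016 network.
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    Add-Result 'SMBv1 disabled' ($smb1.State -ne 'Enabled') "State=$($smb1.State)"

    # 5. Full-disk encryption active on the system drive (the notebooks are portable).
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Result 'BitLocker protection on' ($bl.ProtectionStatus -eq 'On') `
        "Status=$($bl.ProtectionStatus), $($bl.EncryptionPercentage)% encrypted"

    # 6. Least privilege: daily-use accounts must not be local administrators.
    $admins     = (Get-LocalGroupMember -Group Administrators).Name
    $unexpected = $admins | Where-Object { $_ -notmatch '\\(Administrator|Domain Admins|JL-IT-Admins)$' }
    Add-Result 'No unexpected local administrators' (-not $unexpected) ($admins -join '; ')

    # 7. Security software present: third-party products register with Windows Security Center.
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    Add-Result 'Anti-malware registered' ([bool]$av) (($av.displayName | Sort-Object -Unique) -join '; ')

    return $results
}

Test-WorkstationBaseline | Format-Table Check, Pass, Detail -AutoSize
```

Any row with Pass = False is a build step that was skipped or a policy that has not yet applied; the IT officer keeps the output with the workstation’s build record.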
If email is hosted remotely by an ISP or service provider, ensure that server-side spam
filtering is configured to protect the inbox without inhibiting regular communications.
Implement reputable Realtime Block Lists (RBLs) and standards-based validation on the email
server according to the applicable Requests for Comment (RFCs): checking that the sender
address is syntactically valid, rejecting senders whose domain does not resolve, and handling
blank (null) return paths correctly, since these are required for bounces and delivery status
notifications. These protocol-level checks should be applied before, and in preference to,
content filtering such as SpamAssassin (Klensin, 2004)(mbv_editor, n.d.). Additionally, the
mail server should perform its checks before accepting a message for delivery, rejecting
within the SMTP transaction rather than accepting and bouncing later, to eliminate email
backscatter. If the mail host cannot provide the necessary configuration, consider another
host or, if budget allows and suitable staff are available, bring email services in house.
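The SMTP-time checks described above, as an added example (not part of the original report), modelled in PowerShell so the decision order can be read and tried offline; it is not a mail server configuration. The DNS data is constructed for the example, the DNSBL zone zen.spamhaus.org is used only as a well-known example of such a list, and the response codes are typical rather than mandated.

```powershell
# Added example (not part of the original report): model of envelope checks a receiving mail
# server applies DURING the SMTP transaction, refusing bad mail with a 5xx before accepting it
# instead of accepting and bouncing later (backscatter). The DNS table below is constructed;
# a real server resolves MX/A and DNSBL records live. zen.spamhaus.org is an example list.

$ConstructedDns = @{
    # Sender domains that resolve (an MX or A record exists)
    Domains = @('jlclient.example', 'bank.example')
    # DNSBL entries, keyed by the reversed-octet query name: here 1.2.3.4 is listed
    Dnsbl   = @('4.3.2.1.zen.spamhaus.org')
}

function Get-DnsblQuery ([string]$Ip, [string]$Zone) {
    # DNSBLs are queried by reversing the IPv4 octets and appending the zone name.
    $octets = $Ip.Split('.')
    [array]::Reverse($octets)
    return ($octets -join '.') + '.' + $Zone
}

function Test-SmtpEnvelope {
    param([string]$ClientIp, [string]$MailFrom, [hashtable]$Dns = $ConstructedDns)

    # 1. Connecting host on a block list: refuse before any message data is accepted.
    if ($Dns.Dnsbl -contains (Get-DnsblQuery $ClientIp 'zen.spamhaus.org')) {
        return [pscustomobject]@{ Action = 'REJECT'; Code = 554; Reason = "client $ClientIp listed in zen.spamhaus.org" }
    }
    # 2. Null return path (MAIL FROM:<>) is legitimate for bounces and DSNs (RFC 5321) and must
    #    not be rejected outright; it is accepted here and left to later content filtering.
    if ($MailFrom -eq '<>' -or $MailFrom -eq '') {
        return [pscustomobject]@{ Action = 'ACCEPT'; Code = 250; Reason = 'null return path (bounce/DSN)' }
    }
    # 3. Syntax: exactly one local part and one domain, no whitespace or stray angle brackets.
    $addr = $MailFrom.Trim('<', '>')
    if ($addr -notmatch '^[^@\s<>]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$') {
        return [pscustomobject]@{ Action = 'REJECT'; Code = 501; Reason = "malformed sender address $MailFrom" }
    }
    # 4. Sender domain must exist; an unresolvable domain can never receive replies or bounces.
    $domain = $addr.Split('@')[1].ToLower()
    if ($Dns.Domains -notcontains $domain) {
        return [pscustomobject]@{ Action = 'REJECT'; Code = 550; Reason = "sender domain $domain does not resolve" }
    }
    return [pscustomobject]@{ Action = 'ACCEPT'; Code = 250; Reason = 'envelope checks passed' }
}

# Constructed sample transactions, one per branch of the policy
Test-SmtpEnvelope -ClientIp '1.2.3.4' -MailFrom '<sales@jlclient.example>'      # listed client
Test-SmtpEnvelope -ClientIp '9.9.9.9' -MailFrom '<>'                            # bounce / DSN
Test-SmtpEnvelope -ClientIp '9.9.9.9' -MailFrom '<bad address@x>'               # malformed address
Test-SmtpEnvelope -ClientIp '9.9.9.9' -MailFrom '<ceo@no-such-domain.invalid>'  # unresolvable domain
Test-SmtpEnvelope -ClientIp '9.9.9.9' -MailFrom '<accounts@bank.example>'       # legitimate sender
```

Every REJECT is returned while the sending server is still connected, so the sender (or the forger’s victim) never receives a non-delivery report from JL’s mail host; that is the property that eliminates backscatter.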


Remove and replace all inboxes and email addresses associated with the previous ransomware
attack, and change all email and network passwords. Limit or remove all catch-all (wildcard)
email addresses. Wherever possible, avoid generic addresses such as admin@ and info@, which
are easily guessed by spammers and attackers, and note that email addresses beginning with
letters further down the alphabet generally receive less spam (Clayton, 2008).


The QNap will require careful manual configuration. Its cloud services often operate through a
STUN server (an outside server that lets a connection reach an internal device without port
forwarding, by relying on outgoing connections), which presents the possibility of backdoor
access to the network in addition to unsupervised remote access (Rand, n.d.). If media
features are not required, they should be disabled, and the admin/admin default credentials
must be replaced. All existing backups must be quarantined; this can be achieved by removing
the existing hard disks from the QNap and installing new ones. A new local backup regime will
need to be established, with provision for off-site backup to allow for disaster recovery.


All network passwords must be individual and compliant with the Information Technology
Policy and Procedure Manual. Group Policy should assign dedicated privileges, and shared
resources should be configured with only the access each role requires. Software restriction
policies should enforce that only approved software can be installed and run, which helps to
stop undetected malware from executing; user accounts should be configured with the lowest
privilege required for the user’s tasks, and the use of privileged accounts restricted.
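Least-privilege shares and application control as recommended above, as an added example in PowerShell (not part of the original report). It assumes the JL domain, the groups JL-Accounting and JL-IT-Admins and the GPO named JL Workstation Baseline from the domain build, and a data volume D: on the server. The AppLocker policy is generated in AuditOnly mode so that the IT officer can review what would have been blocked before switching to enforcement.

```powershell
# Added example (not part of the original report): least-privilege shared storage on the new
# server and an AppLocker policy deployed in audit mode first.
# Assumptions: domain JL, groups JL-Accounting / JL-IT-Admins, GPO 'JL Workstation Baseline',
# data volume D:. Run elevated on the domain controller.

Import-Module ActiveDirectory, GroupPolicy

# 1. Shared client files: accounting staff read/write, IT admins full control, nobody else.
$path = 'D:\Shares\Clients'
New-Item -Path $path -ItemType Directory -Force | Out-Null
# Share-level permissions: grant only the two role groups (no Everyone entry at all).
New-SmbShare -Name 'Clients' -Path $path `
    -FullAccess 'JL\JL-IT-Admins' -ChangeAccess 'JL\JL-Accounting' | Out-Null
# NTFS permissions: drop inherited Users/Everyone entries, grant the same two groups.
icacls $path /inheritance:r `
    /grant:r 'JL\JL-IT-Admins:(OI)(CI)F' 'JL\JL-Accounting:(OI)(CI)M' 'SYSTEM:(OI)(CI)F' | Out-Null

# 2. AppLocker: allow executables already installed under Windows and Program Files, by
#    publisher where signed and by hash otherwise; anything else (e.g. a payload from a USB
#    drive) is outside the rules. Start in AuditOnly so nothing is blocked yet.
$rulesXml = 'C:\Temp\JL-AppLocker.xml'
New-Item -Path (Split-Path $rulesXml) -ItemType Directory -Force | Out-Null
$files  = @(Get-AppLockerFileInformation -Directory 'C:\Windows'       -Recurse -FileType Exe)
$files += @(Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe)
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User 'Everyone' -Optimize -Xml

$doc = [xml]$policy
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($rulesXml)

# Store the policy in the workstation GPO. The Application Identity service (AppIDSvc) must be
# running on the workstations for the rules to be evaluated; set it to Automatic in the same GPO.
$gpo = Get-GPO -Name 'JL Workstation Baseline'
$gpoLdap = "LDAP://$($gpo.DomainName)/CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
Set-AppLockerPolicy -XmlPolicy $rulesXml -Ldap $gpoLdap
```

After a review period, event log 8003 entries (audit-mode "would have been blocked") show which legitimate tools still need rules; only then should the collections be switched from AuditOnly to Enabled.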


Additional consideration should be given to the need for full-disk encryption and to
restricting access to foreign Wi-Fi networks, given that the workstations are notebook PCs
and may be taken off site.
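The two notebook controls above, as an added example in PowerShell (not part of the original report): BitLocker on the system drive with the recovery password escrowed to Active Directory, and a Wi-Fi filter that denies every infrastructure network other than the office SSID. It assumes a TPM in each notebook, an office SSID of JL-Office, and that the GPO setting to store BitLocker recovery information in AD DS is enabled so the escrow succeeds.

```powershell
# Added example (not part of the original report): full-disk encryption and Wi-Fi restriction
# for a domain-joined notebook. Assumptions: TPM present, office SSID 'JL-Office', AD DS
# BitLocker recovery escrow enabled by group policy. Run elevated on the workstation.

# 1. Encrypt the system drive, unlocked by the TPM; encrypt used space only for a fresh install.
$drive = $env:SystemDrive
Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest

# 2. Add a recovery password and back it up to the computer object in Active Directory,
#    so a lost TPM or changed firmware does not mean lost client data.
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId

Get-BitLockerVolume -MountPoint $drive | Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage

# 3. Wi-Fi: allow the office network, deny every other infrastructure and ad hoc network.
netsh wlan add filter permission=allow ssid="JL-Office" networktype=infrastructure
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc
netsh wlan show filters
```

The filter list is stored per machine, so it survives user changes; staff who genuinely need to work from another network should go through the IT officer, who can add that SSID explicitly rather than removing the deny-all entry.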


A full implementation plan should be written. 


Budget 


Presuming that there are currently five notebook workstations, one per employee, and that an
additional five are purchased with Windows 10 Pro pre-installed to allow for expansion, the
costs are based on a technical services day rate of $880.00 inc. GST on-site, plus $143.00
inc. GST per hour ad hoc, with an additional purchased 20 hours per half-year of remote or
on-site service/support/training at $4,000 inc. GST annually.


Assessment 3: Report on countermeasures 
Damian A. James Williamson 


Initial Cost

The initial cost is expected to be in the order of $ 22,624.00, covering new server hardware,
the server operating system, workstation operating systems, security software, hard disks, the
modem router and the first month of off-site backup, and including three days of service fees
for labour and one day for training. Additionally, the service provider may have to complete
the policy documents.

Server - $ 5,308.00 (Budget PC, n.d.)
Server Operating System + CALs - $ 1,652.00 + $ 504.00 (i-Tech, n.d.-b)(i-Tech, n.d.-a)
New Workstations - $ 6,995.00 (Centre Com, n.d.)
Workstation Operating Systems - $ 1,405.00 (i-Tech, n.d.-c)
Security Software - $ 600.00 estimated
Hard Disks - $ 1,200.00 estimated
Off-site Backup - $ 65.00 per month estimated
Modem Router - $ 250.00 estimated
Site induction & Service - $ 2,640.00
Training - $ 880.00
Shipping - $ 125.00 estimated
Variance - $ 1,000.00


Maintenance 

A scheduled two-hour service visit every three months is sufficient to cover basic
maintenance for the small JL SOE: checking that everything is running smoothly and is up to
date, and performing basic maintenance. This is included in the purchased support.


Ongoing Support 

Training, support and service are included in the purchased support package, with a budget
of eighteen hours each six months for a total cost of $ 4,000.00 inc. GST per annum.
Additional service exceeding the budget is available at a cost of $143.00 inc. GST per hour.